Ransomware goes to Hollywood medical centre

When malware goes to war: South California hospital unable to relax in the face of US$3.6 million (£2.4 million) demand from attackers

Computer systems at the Hollywood Presbyterian Medical Center (HPMC) have been taken down by a ransomware attack. The outage at the southern California hospital has lasted over a week at the time of reporting.

Given the rise in worldwide healthcare technology connectivity (much of it classed as new-breed Internet of Things devices) and the popularisation and proliferation of ransomware, industry commentators have already been predicting the rise in this kind of scenario.

HPMC appears to have had no dedicated cyber-defence team. As such, the staff has initially turned to the LAPD and the FBI in order to search for the hackers behind the ransomware demands.

The hospital's network was taken completely offline with the loss of some patient data and access to email. Hospital president and CEO Allen Stefanek also confirmed that the emergency room systems were ‘sporadically impacted' by the malware.

Quick, does the fax machine still work?

In terms of the total scope of the attack, computer systems responsible for CT scans, documentation, lab work and pharmacy functions were all compromised. Hospital staff are said to have reverted to using the telephone and the fax machine for communications.

The source, motivation and exact technical type of ransomware used all remain unknown. The only confirmed details available clarify that around 9000 bitcoins or just over $3.6 million dollars was the amount demanded.

Security metrics blogger David Ellis has said that ransomware has the potential to seriously affect both small and large organisations and the healthcare industry should be particularly concerned. “Data breaches against the healthcare industry have targeted [major US] providers like Anthem, Premera Blue Cross and Excellus and compromised more than 99 million patient records,” he confirms.

Ellis' statement reflects back to 2014, the number of patient records compromised worldwide in 2016 is certain to be far higher today.

Nobody has died from hospital ransomware, yet

In the Hollywood incident specifically, no loss of human life was reported. However, some patients were moved to neighbouring facilities.

Greg Enriquez, chief executive of TrapX, a cyber-security company that works with hospitals around the world was quoted on the Financial Times last year saying that his company has found “security flaws in a blood gas analyser, a medical image system and radiology equipment”.

He continued: “[We have also] found active malware, different strains of malware, we even found [non-activated] ransomware on one medical device [which could give the hacked the ability to prevent the device from working when it is in use].”

Speaking to SCMagazineUK.com on this story today was Troy Gill, manager of security research at AppRiver. Gill said that although most ransomware is in fact delivered by email, some variants have also been found hosted on websites. These website versions rely on a drive-by download technique in order to infect their victims.

Don't feed the fire

"Feeding the fire by paying these guys should be avoided if at all possible,” said Gill. “If you've been the victim of a ransomware attack and you're contemplating paying the ransom, keep in mind that the only reason these thieves keep perpetrating these attacks is because people are paying them. If all of the victims stopped paying ransoms, they wouldn't have a successful business model, whose core objective is to steal your money.”

Although we've heard some of this before, AppRiver's Gill restated the important truth that better security and user awareness can help minimise the likelihood of a ransomware infection. “Organisations that backup their files, update their software and hardware and have layered, redundant security, shouldn't find themselves in this predicament," he said.

Meanwhile, PhishMe has found that ransomware attacks are on the rise, with the most common form of delivery being through the use of phishing emails.

A list of attacks

Brendan Griffin, threat intelligence manager at PhishMe told SC: “It wouldn't surprise us if the attackers had accessed medical systems and devices through one staff member clicking a malicious link or attachment – after all, there have been so many attacks on healthcare providers that have been caused by phishing (Anthem, St. Vincent Medical Group and Seton Healthcare Family to name but a few) that we wouldn't expect attackers to change their tactics when they can see it's clearly working.”

Griffin advises that a ‘human phishing defence' could have made a difference in these historical examples and it's likely that this wasn't in place at HPMC.

“Furthermore, as they appeared to having no dedicated cyber-defence team, it's probable they had very little chance of stopping the attackers,” he said. “We've argued for years that prevention of this kind of thing is possible if you change employee behaviour to work as an adaptable first line of defence which, twinned with the right technology, will provide robust cyber-defences for organisations big and small.”